We have supplied the username, password and database name for the postgres service by setting the POSTGRES_USER, POSTGRES_PASSWORD and POSTGRES_DB environment variables (have a look at the postgres Docker image documentation to see the other environment variables that can be used).

You may have noticed that the sensitive details for our database are in plain text for all the world to see. This is poor practice and should only be done for local deployments of containers. In the next section, we will be modifying this example to use secrets.

Securing Our Swarm With Secrets

Let’s dive right in and see how to create secrets.

Open a terminal window and create a secret for the username by typing the following command:

echo "myuser" | docker secret create pg_user -

We have used the docker secret create command above to create a secret called pg_user. The dash “-” at the end of the command is important: it tells Docker to read the secret's data from stdin.

To view the secret, type the following command:

docker secret ls

You should see a similar output displayed:

ID                          NAME      CREATED      UPDATED
dv82o89ngapgr9lrxm6987uqh   pg_user   5 days ago   5 days ago

Let’s create the remaining secrets for password and database name:

echo "mysupersecretpassword" | docker secret create pg_password -

echo "mydatabase" | docker secret create pg_database -

Now we need to modify the compose file to use the secrets we created (see below):
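An added example, not the author's original file, of a compose file that consumes the three secrets created above through the postgres image's *_FILE variables. The service name, the untagged image and the overall layout are assumptions.

```yaml
# Added example: stack file using the pg_user, pg_password and pg_database
# secrets created earlier with "docker secret create".
# Secrets require compose file format 3.1 or later.
version: "3.1"

services:
  postgres:                 # assumed service name
    image: postgres         # assumption: pin a specific tag in a real deployment
    environment:
      # Instead of POSTGRES_USER / POSTGRES_PASSWORD / POSTGRES_DB holding the
      # values in plain text, the *_FILE variants point at files whose contents
      # the image's entrypoint reads at start-up.
      POSTGRES_USER_FILE: /run/secrets/pg_user
      POSTGRES_PASSWORD_FILE: /run/secrets/pg_password
      POSTGRES_DB_FILE: /run/secrets/pg_database
    secrets:
      # Each secret granted to the service is mounted inside its containers
      # as an in-memory file at /run/secrets/<secret name>.
      - pg_user
      - pg_password
      - pg_database

# Top-level declaration of the secrets the stack refers to.
# "external: true" means the secret already exists in the swarm and is not
# created from a file next to this compose file, so no secret value is
# stored in the file or in version control.
secrets:
  pg_user:
    external: true
  pg_password:
    external: true
  pg_database:
    external: true
```

Only services that list a secret under their own secrets key receive it, so other services in the same stack cannot read the database credentials.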


3 thoughts on “Secrets Of The Swarm”

Can I create per-stack secrets, so I can have a stack.yml file, launch it with ‘docker stack deploy -c stack.yml staging_stack’, followed by a ‘docker stack deploy -c stack.yml production_stack’ and have them use different values for the same variables?